An Email to Jane

On Thu, 25 Apr 2002, Jane wrote:

Warning. Virus alert. My computer has been infected with a virus. You may have received an email from me that contains this virus. Please be careful about opening emails from me and make sure you are protected by using anti-virus software. Sorry about the inconveinience. --- Jane.

Hi Jane;

Here are some notes. We get 3000 emails per month. So I have to fight viruses also, I try to keep on top of them. Send this to your friends - it will make life easier if they know how _all_ of these email viruses can be prevented.

Dont trust virus software. The fixes are always available after the virus is out, not before. You could be the first on your block to be infected, and then the virus software is not going to do any good. And you will not know about it at first. It is much easier to just avoid a few lame and leaky Microsoft products..

If you have the latest virus, it will be the MicroSoft Outlook Klez.H email worm (there are currently 4 varieties and clones). But you will never know, because it makes fake connections to MX machines, sends 125 KByte infested files to your friends, and writes fake return address.

I have been getting three or four a day -- I cannot trace them, because half the envelopes and headers are faked. Anyone with Windows who previews their email also gets infected immediately.

The "subject" reads like one of these.. (but there are many more)

You could also get the one which goes, "Subject: Jane, honey".

It can even send a message telling you have a virus, and what to do about it, except the instructions will get your machine infected.

The text is in html and munged, so probably anyone opening the email immediately gets screwed. I dont know, I bounce anything that big before it reaches my mailbox. I use Linux as the internet connection and email box; I also use Windows; but I have no anti-virus programs at all, and have not had them in the last 6 years or so, and no problems.

My Linux solution is to intercept these enmails on the fly with a procmail script, as follows ...

# -- Klez Check filter
:0
* > 100000
/dev/null

That deletes all emails larger than 100 Kilobytes as they are received, and before they get into my mailbox. Nothing much else you can do.

The current crop of viruses and worms all depend on faults in Microsoft products, they all depend on security holes in Microsoft Outlook or Outlook Express, on faults with Microsoft's JavaScript (and Active-X), and on people using the Microsoft Explorer browser for their email.

Microsoft puts out a change (a "fix") to Outlook every three days. They have been doing that for two years. But things are no better. Often the fixes cause more problems than they fix.

Here are some of the recent viruses, and Java, Hotmail, plaintext notes, starting with "Klez"...

"Win32.Klez.H, Win32/Klez.H.Worm, WORM_KLEZ.G, Win32.Klez.H at mm"
mass mailing, network aware worm, April 17, 2002 Contains HTML code which exploits the "Incorrect MIME Header" vulnerability in Internet Explorer, Outlook and Outlook Express. Sends infected files to all entries in the addressbook, using other entries as return addresses. Makes MX connections with faked return identification; some versions fake the first envelop line also.
"Bubbleboy, Seinfeld, BBV" Email worm
This was one of the first email bugs, two years ago: Windows 32-bit systems running Microsoft Outlook and Outlook Express Description: Bubbleboy is the first worm able to spread via e-mail simply by viewing the message in the preview pane of Outlook Express or opening the message in Outlook.
"BadTrans, W32.Badtrans.b" virus, Nov 2001.
Microsoft Outlook and Outlook Express, using Internet Explorer version 5.0 or 5.5. It infects by email appearing in the Preview Pane. Send attachments "FUN, HUMOR, DOCS, S3MSONG, Sorry_about_yesterday, ME_NUDE, CARD, SETUP, SEARCHURL, YOU_ARE_FAT!, HAMSTER, NEWS_DOC, New_Napster_Site, README, IMAGES, PICS."
"BleBla, Verona, Romeo-and-Juliet, I-Worm.Blebla" Internet Worm
Systems Affected: Windows 32-bit systems running Microsoft Internet Explorer 4.0, 4.01, 5.0, and 5.01 Spams alt.comp.virus newsgroup, using security vulnerabilities in Microsoft products that allow the worm to execute by reading email.
"Davinia, HTML/Davinia, HTML/LittleDavinia"
Javascript (Microsoft Active X) Worm, received via email Windows systems running Microsoft Office 2000 products Irretrievably overwrites all files on the drive.
"Kak, Kagou-Anit-Kro$oft"
Javascript Worm received via email Windows 95/98 running Outlook Express 5.0 Description: On the first day of each month, if it is 1800 (6pm) hours or later, an alert box will be displayed and Windows will be shut down. Sent out via email elsewhere.
"Nimda" email virus
From infected Microsoft IIS server websites, also emails itself with attachment "README.EXE" Microsoft Windows (95/98/NT/2000/ME), Microsoft IIS servers, Microsoft Outlook and Outlook Express, Microsoft Internet Explorer 5.01 or 5.5 (infects simply by you previewing the email in the Preview Pane) Hammers adjacent websites, looking for Microsoft IIS Server. (At Spaces.org I was getting 30,000 bogus requests per hour in November of last year - but we use Linux.)
"VBS/Forgotten" mass-mailing email worm
HMTL email embedded Microsoft Outlook, and Microsoft Active-X (lost the damage details)
JavaScript makes e-mail bugging easy
By: Thomas C Greene in Washington

Posted: 05/02/2001 at 16:59 GMT

A simple bit of invisible JavaScript code can enable the sender of an e-mail memo to intercept all recipients' comments when the memo is forwarded, the Privacy Foundation has announced in an advisory. The exploit enables monitoring the forwarded path of an e-mail message and written comments attached.

"Affected e-mail readers include Outlook, Outlook Express, and Netscape 6 Mail. Earlier versions of Netscape are not affected because they do not support all the features of the JavaScript Document Object Model (DOM). Also Eudora and the AOL 6.0 email readers are not affected because JavaScript is turned off by default. Hotmail and other Web-based email systems automatically remove JavaScript programs from incoming email messages and therefore are not vulnerable."

other news:
"A flaw that allows an intruder to hijack an MSN Messenger user's account and virtually impersonate the innocent victim in cyberspace has been fixed, Microsoft Corp. announced Monday. Meanwhile, the company said it is investigating reports that new MSN Messenger users who sign up for the service could find their account already populated with contact information from someone else's account...."
and just a note: "The Joy of Plaintext"
Wednesday, August 8, 2001
http://www.winterspeak.com/columns/080801.html
Zimran Ahmed

Microsoft hates the fact that email is in plaintext. My Outlook Express client is buggy when it comes to handling the simplest of all tasks: receiving and responding to a text email. I've fiddled with all the internal settings, trying to get it to convert HTML mail to text, responding in text, and including all these simple plaintext protocols like adding ">" to quoted parts of an email I'm responding to. But my Outlook still insists on having things pop-up in tiny, colored fonts that are impossible to read, and then not tagging quoted text. In this environment, emails quickly bloat and become incoherent.

This hatred of plaintext is also evident in Hotmail, Microsoft's Trojan horse to Passport. The web-based text editor actually allows you to format your mail using bold, italic, and underline etc. Insanity even when it doesn't crash your browser. I'm glad AOL is still holding out against this sort of nonsense. I hope it continues to do so.

Why does Microsoft hate plaintext? One possible reason is it comes from the PC-world where having a printer was all important, and don't understand that desktop publishing functions like bold, italic, and underline make no sense in the networked world, where data is rarely printed out. But I think they're smarter than that. The real reason Microsoft hates plaintext is because it makes lock-in impossible. Plaintext can be created by anything and read by anything. It is the cleanest, simplest, least proprietary way of passing information from A to B. The Unix culture, where interoperability is God, understands this, and has raised simple programs passing plaintext to a high Art. By contrast, Microsoft thinks interoperability is Satan and focuses on locking-in customers and locking-out competitors, using proprietary file formats like .doc to extend its monopoly. Plaintext is the enemy of proprietary standards. It is also the enemy of monolithic programs that are conservative in what they try to do and liberal in what input they accept. Microsoft understands this well, so is trying to kill the format.

The average computer user does not understand the power of plaintext. They don't know how to work in the networked world and see no problems with storing notes that will never be printed in Word documents. In time, businesses that understand how to operate in a networked environment will realize what Unix users have known all along -- keeping information in plaintext allows for faster searching, delivery, and manipulation. And if businesses reinvent themselves along these principles, they will gain competitive advantage over their competitors.

In the meantime, don't let Microsoft turn email into just another of their proprietary standards. Stick to plaintext.

What can you do?

And none of these other programs ask you for your name, age, gender, address, accupation, income range, religious affiliation, and then sell that information to internet spammers.

[back]

[] ISP: Counterpoint Networking,
Website Provider: Outflux.net, www.Outflux.net
URL:http://jnocook.net/junkmail/outlook.htm